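#!/bin/bash
# Azure VM user-data: install Vault Enterprise 1.4.3 and run it as a systemd
# service with the Azure Key Vault auto-unseal.
#
# This file appears to be rendered by Terraform's templatefile():
#   - `${client_id}`, `${client_secret}`, `${tenant_id}`, `${vault_name}` and
#     `${key_name}` are substituted by Terraform before the VM ever sees it;
#   - `$${...}` is Terraform's escape for a literal `${...}` that bash expands.
# Keep that distinction when editing.
#
# NOTE(security): everything rendered into user-data (including client_secret)
# is retrievable from the instance metadata service by any local process on
# the VM. Prefer a managed identity for the azurekeyvault seal (the seal is
# documented to fall back to MSI when client_id/client_secret are omitted —
# confirm for this Vault version) and keep long-lived secrets out of user-data.
set -euo pipefail

# Send the log output from this script to user-data.log, syslog, and the console
# From: https://alestic.com/2010/12/ec2-user-data-output/
# Nothing below echoes the rendered config, so the seal credentials do not
# reach the log. Do not add `set -x` to this script for the same reason.
exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1

# user-data runs as root on Azure (the original already ran mkdir/chown without
# sudo), so plain commands are used throughout. apt-get has the stable CLI.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y unzip jq

# Service account. NOTE(security): azureuser is the interactive admin login
# (with sudo on stock images); a dedicated `vault` system user would limit the
# blast radius of a Vault compromise. Kept as-is to match the rest of the
# deployment — change it in one place here if you move to a dedicated account.
VAULT_USER="azureuser"
VAULT_VERSION="1.4.3+ent"
VAULT_BASE_URL="https://releases.hashicorp.com/vault/$${VAULT_VERSION}"
VAULT_ZIP="vault_$${VAULT_VERSION}_linux_amd64.zip"
VAULT_SUMS="vault_$${VAULT_VERSION}_SHA256SUMS"

# Download into a private temp dir (not the predictable /tmp/vault.zip) and
# fail hard on HTTP errors instead of handing an error page to unzip.
WORK_DIR="$(mktemp -d)"
trap 'rm -rf -- "$${WORK_DIR}"' EXIT
CURL_OPTS=(--fail --silent --show-error --location --proto '=https' --tlsv1.2)
curl "$${CURL_OPTS[@]}" --output "$${WORK_DIR}/$${VAULT_ZIP}" "$${VAULT_BASE_URL}/$${VAULT_ZIP}"
curl "$${CURL_OPTS[@]}" --output "$${WORK_DIR}/$${VAULT_SUMS}" "$${VAULT_BASE_URL}/$${VAULT_SUMS}"

# Integrity check against the SHA256SUMS published alongside the release.
# This catches truncated/corrupted downloads and a swapped artifact; it does
# NOT defend against a compromised releases host — for that, also fetch
# $${VAULT_SUMS}.sig and gpg-verify it against HashiCorp's release-signing key.
(
  cd "$${WORK_DIR}"
  grep -F -- " $${VAULT_ZIP}" "$${VAULT_SUMS}" > vault.sha256
  sha256sum -c vault.sha256
)

# The binary stays root-owned: the service user must not be able to replace
# the executable that systemd runs (and grants CAP_IPC_LOCK to).
unzip -o "$${WORK_DIR}/$${VAULT_ZIP}" -d /usr/local/bin/
chown root:root /usr/local/bin/vault
chmod 0755 /usr/local/bin/vault

# /etc/vault.d is root-owned and only readable by the service group, so the
# running service cannot rewrite its own listener/seal config and other local
# users cannot read the seal credentials in it. /opt/vault holds the "file"
# storage backend's (encrypted) barrier data — private to the service user.
mkdir -p /etc/vault.d /opt/vault
chown root:"$${VAULT_USER}" /etc/vault.d
chmod 0750 /etc/vault.d
chown "$${VAULT_USER}:$${VAULT_USER}" /opt/vault
chmod 0700 /opt/vault

# Unit file lives in /etc/systemd/system (local admin units), 0644, not the
# group-writable 0664 of the original. The heredoc is quoted so that $MAINPID
# reaches systemd literally — unquoted, bash expanded it to nothing and the
# ExecReload line became `kill -HUP` with no PID.
# CAP_IPC_LOCK is granted as an ambient capability instead of setcap'ing the
# binary from a root ExecStartPre; LimitMEMLOCK lets mlockall() cover the
# whole heap. The Protect*/Private* directives are the usual sandboxing for a
# service that only needs /opt/vault and its config.
cat << 'EOF' > /etc/systemd/system/vault.service
[Unit]
Description=HashiCorp Vault server
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/config.hcl

[Service]
User=azureuser
Group=azureuser
ExecStart=/usr/local/bin/vault server -config /etc/vault.d/config.hcl
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM
Restart=on-failure
RestartSec=5
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_IPC_LOCK
LimitMEMLOCK=infinity
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes

[Install]
WantedBy=multi-user.target
EOF
chmod 0644 /etc/systemd/system/vault.service

# Create the config file with its final mode BEFORE writing secrets into it;
# `cat >` then truncates in place and keeps 0640 root:<service group>. The
# original wrote it with the default umask and `chmod -R 0644` afterwards,
# leaving client_secret world-readable.
# The heredoc delimiter is quoted: Terraform has already substituted the
# template values, and an unquoted heredoc would let a secret containing
# `$(...)` or backticks be expanded/executed by bash.
install -m 0640 -o root -g "$${VAULT_USER}" /dev/null /etc/vault.d/config.hcl
cat << 'EOF' > /etc/vault.d/config.hcl
storage "file" {
  path = "/opt/vault"
}

# NOTE(security): plaintext listener on every interface. Tokens and secrets
# cross the network in clear, so this is only acceptable behind an NSG that
# limits 8200 to trusted sources. Set tls_cert_file/tls_key_file and drop
# tls_disable before any real use.
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

# Auto-unseal with an Azure Key Vault key. Values are rendered by Terraform;
# see the header of the provisioning script about keeping client_secret out
# of user-data (managed identity).
seal "azurekeyvault" {
  client_id     = "${client_id}"
  client_secret = "${client_secret}"
  tenant_id     = "${tenant_id}"
  vault_name    = "${vault_name}"
  key_name      = "${key_name}"
}

ui = true

# mlock stays enabled: the unit grants CAP_IPC_LOCK and LimitMEMLOCK=infinity,
# so barrier key material is not paged out to (unencrypted) swap. The original
# granted the capability and then disabled mlock anyway, which defeated it.
disable_mlock = false
EOF

# Shell convenience for interactive users. VAULT_SKIP_VERIFY is deliberately
# not set: it is a no-op against an http listener and silently disables
# certificate checks the day TLS is turned on.
cat << 'EOF' > /etc/profile.d/vault.sh
export VAULT_ADDR=http://127.0.0.1:8200
EOF
chmod 0644 /etc/profile.d/vault.sh

systemctl daemon-reload
systemctl enable vault
systemctl start vault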